A new Mac OS X Trojan Horse called "Flashback" attempts to trick users into installing it by appearing as Adobe's Flash Player installer package.

The Trojan Horse, discovered by security firm Intego, has been found on malicious web sites that invite users to install the phony Flash Player, telling them it is required to access certain content. Since Mac OS X Lion doesn't come with Flash preinstalled, users must manually install it. Intego categorized the threat from Flashback as "low."

The new malware is said to specifically target Lion, and replicates the look and feel of the real Flash installer. It includes design elements and logos that could convince some users it is the actual official software from Adobe.

Once the Trojan is installed on the system, it will delete the installer package and deactivate some network security software. The code used by Flashback can be injected into certain applications running on the computer, and the Trojan can connect to remote servers in order to send specific information about the infected computer -- including its MAC address, which is a unique identifier for every machine.

Lion users can protect themselves by downloading the official Flash Player installer from Adobe. Users should also check the origin of any file claiming to be a Flash Player installer.

Users should also uncheck the "Open 'safe' files after downloading" option in Apple's Safari browser under General Preferences. This will help ensure that the Flashback installer is not automatically run if downloaded.

Users can also manually check to see whether they were infected by looking for the file "~/Library/Preferences/Preferences.dylib" on their Mac.
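As an added example that is not part of the original article, the following POSIX shell script automates the two checks just described on a single account: it looks for the indicator file and reports whether Safari's auto-open setting is disabled. The defaults key AutoOpenSafeDownloads is an assumption about how Safari stores that checkbox, and the check is read-only; it removes nothing.

```shell
#!/bin/sh
# Added example, not from the article: a read-only check for the two
# indicators the article names. Assumptions: the Safari "Open 'safe' files
# after downloading" checkbox is stored under the defaults key
# AutoOpenSafeDownloads in com.apple.Safari; when the key is unset the
# feature is treated as enabled (Safari's historical default).

# Returns 0 if the Flashback indicator file is absent, 1 if it is present.
# $1 = home directory to inspect (defaults to the current user's).
flashback_indicator_absent() {
    home="${1:-$HOME}"
    ioc="$home/Library/Preferences/Preferences.dylib"
    if [ -e "$ioc" ]; then
        echo "WARNING: indicator file present: $ioc"
        return 1
    fi
    echo "OK: $ioc not found"
    return 0
}

# Returns 0 if the auto-open setting is disabled, 1 if enabled or unknown.
# $1 = value as printed by: defaults read com.apple.Safari AutoOpenSafeDownloads
safari_autoopen_disabled() {
    case "$1" in
        0|false|NO|no) echo "OK: Safari will not auto-open downloads"; return 0 ;;
        *) echo "WARNING: Safari auto-open is enabled or unset"; return 1 ;;
    esac
}

# Runs both checks against the current account. Reads the live Safari setting
# only where the defaults tool exists (macOS); elsewhere it reports unknown.
check_mac() {
    rc=0
    flashback_indicator_absent "$HOME" || rc=1
    if command -v defaults >/dev/null 2>&1; then
        val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo unset)
    else
        val=unset
    fi
    safari_autoopen_disabled "$val" || rc=1
    return $rc
}

check_mac
```

A non-zero exit status means at least one of the two checks needs attention; the messages say which.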

Apple has already distributed a malware definition update to block another Trojan horse, Trojan-Dropper:OSX/Revir.A, described late last week as a malicious program posing as a PDF download.

My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks

That's the problem with blacklists as an exclusive method. They need to be updated constantly. Heuristics-based AV has been around for decades.

I somewhat agree, but we've also seen how good Heuristics-Based AV has been working on Windows over the last couple decades... so obviously the magic bullet has yet to be found.

I think Apple is in a favourable position, in regards to black-lists, simply because they have the opportunity to start from the beginning. By the time MS realized they were vulnerable to viri, they were a long way behind the 8-ball.

Obviously, as nearly all Heuristic scanners will attest to, the best solution at the moment is actually a two-fold attack -- using both black-lists and Heuristics.

Apple has taken care of the black-list part, it's up to the user to find a Heuristics scanner that works.

That's the problem with blacklists as an exclusive method. They need to be updated constantly. Heuristics-based AV has been around for decades.

For now a blacklist approach is far superior to the resource-intensive heuristic scanners which are necessary in Windows. If we get to a point where there are too many threats for Apple to handle easily then a heuristic approach will probably become the better choice. Additionally, trojans, depending on what they do once installed, oftentimes require some slightly more specific targeting (thus a definitions list update) to stop efficiently.

The true measure of a man is how he treats someone that can do him absolutely no good. -- Samuel Johnson

Obviously, as nearly all Heuristic scanners will attest to, the best solution at the moment is actually a two-fold attack -- using both black-lists and Heuristics.

No doubt. And being wise about what you click on is a good idea as well. I'm using a couple of free solutions for firewall and AV, set to monitor continuously. AdWare is taken care of occasionally, as and when necessary.

My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks

Save all documents and personal data to a backup. Wipe and install the OS. Update it to the latest version. Then use Migration Assistant to reclaim docs and applications.

I regularly maintain my Mac with MainMenu Pro as well. It makes running maintenance scripts a breeze along with cleaning system/user cache and rebuilding spotlight when necessary.

Quote:

Originally Posted by RepreeThis

My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks

Save all documents and personal data to a backup. Wipe and install the OS. Update it to the latest version. Then use Migration Assistant to reclaim docs and applications.

Why would you do that?

Why not create a new user and see if that one is 'slow'? If it is not, then you know it's a setting/file issue on his Dad's user account. It's incredibly unlikely that he has any malware, and if he indeed has no malware you may actually identify what he has done to make it slow and prevent him from doing it again.

He's asking a question that he wouldn't need to ask if he spent twenty seconds and read the actual article, but that's not trolling.

Astro-turfing has become more sophisticated, more like astro-landscape gardening these days. I wonder how long before the original post is reposted on a Windows/Android forum as proof of Macs' vulnerability? 'Even posters on rabid Apple fan site AppleInsider are complaining...' etc etc.

Believe nothing, no matter where you heard it, not even if I have said it, if it does not agree with your own reason and your own common sense. -- Buddha

I'm sorry I'm a little lost here. So if I download Adobe Flash my computer will be safer?

Did I wake up in another dimension?

Haha, no. It means if you get a message that you need to download flash, go to Adobe and get the official flash update, not one from another site. It won't make your computer safer, it will just prevent you from downloading the trojan.

My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks

The new malware is said to specifically target Lion, and replicates the look and feel of the real Flash installer. It includes design elements and logos that could convince some users it is the actual official software from Adobe.

Are they smoking crack?! This installer looks nothing like Adobe's official Flash updater.

Quote:

Originally Posted by ConradJoe

That's the problem with blacklists as an exclusive method. They need to be updated constantly. Heuristics-based AV has been around for decades.

Actually you are thinking viruses, which some malware just happens to include. All malware detection is blacklist based, which is why it is such a problem. You can install anything you want on your system made by anyone, so if you are gullible enough to run it there is nothing your system can do to stop it.

Blacklists that are maintained globally & updated in real time are actually very effective & probably far more so than heuristics. In fact what I'd like to see is for Apple to use push technology for Macs so that instead of checking once a day they actually get notified immediately when an update is released & download it immediately. One of the most powerful features of an IDS/IPS system is global correlation, a realtime updated blacklist contributed to by parties all around the world.

My father is incredibly gullible... He somehow manages to pick up most Trojans/malware/etc. out there. Now his Mac is painfully slow. I'm going to visit home this weekend, and I would like to tune-up his Mac. Is there a universal method to rid his computer of all malicious content? Thanks

A lot of things can slow down a system besides just malware. The first thing I would do is run a permissions repair on his drive and reboot. You may also need to re-download the latest combo update for his system & install it.

If he is on Snow Leopard make sure he has the option set to check against Apple for the malware blacklist. If he is still getting every new malware out there after that then it's time to take his computer away cause that takes a lot of talent to download what most of us have never once run into.

Are they smoking crack?! This installer looks nothing like Adobe's official Flash updater.

I don't think the report intended to claim that the fake installer was a sufficiently close copy of the real Flash installer to fool someone who knows what the real installer looks like - but rather that the use of the Adobe logo etc. and the overall appearance would be enough to fool someone either with less experience or paying less attention that it is a legitimate installer.

I have seen some malicious software installers that have obvious flaws in the interface that should make anyone think twice about continuing - then again, esp. on the Windows side I have seen legitimate installers that were so poorly crafted I thought twice about using the software.

By READING the article. If you don't have the crap in your Library, nothing's wrong.

And if you got Flash from Adobe, there's no way it could possibly be the trojan.

I was prompted to update, so I didn't get it directly from Adobe, but it looked like the last update and is for 10.3.
Searching my Mac (command-F) and using Spotlight, I don't see the library file. What do you think?

I was prompted to update, so I didn't get it directly from Adobe, but it looked like the last update and is for 10.3.
Searching my Mac (command-F) and using Spotlight, I don't see the library file. What do you think?

If infected, any anti-malware software?

Also I have the Mac firewall turned on. Does that prevent this type of thing? Thx

What does this mean? You being prompted to update doesn't immediately imply you didn't download the update from Adobe.

I think you'll need to go look for it manually since Spotlight doesn't look in Library folders.

READ THE ARTICLE. Remove the files and you'll be fine.

Using search in Finder and command-F, I don't see the file.
I looked in Library and did not see it. By prompted, I mean I got a pop-up saying a new version of Flash was available, and it looked and worked exactly like previous Flash updates. The installer log shows the install and everything seems normal as far as I can tell. Is there some better way for me to find that file? Let me know. Thx

Oh, I see. You can't really find Mac trojans even if you're TRYING, can you?

It's not that hard to manually remove things anyway (on OSX or Windows) if you can see a process running. Both have functions for show all processes. You can pretty much identify stuff from there, not that I'm a Windows fan (I use a couple things without OSX versions so I've dealt with it).

The file Preferences.dylib is easy enough to find in the user library, but once thrown into the trash it begins to wreak all sorts of havoc, to the point of eliminating the user trash folder from the underlying system architecture. If you are as unfortunate as I was to install it (from a link on a reputable e-commerce site, by the way), the best way to deal with it is as follows:
First, go to system preferences and make sure that automatic log in is switched off.

Second, create a root user and log in as the root user.

Third, delete your home account, making sure to keep the home folder. It will remain in the Users folder but renamed username (deleted).

Fourth, create a new user with the same user name as your original account. Give it the same password, even.

Finally, drag the contents of the old user folder into the new user folder. When you are prompted whether or not you want to replace a given folder, click yes and check the box that applies this action to all folders. This is your new user folder. Because Trash is not part of the user file structure, your old trash and its contents won't follow you to the new account.

Why not just open up the Terminal and delete it using rm? None of the underlying OS services a file can access get invoked that way. It just goes away.

Sure not having to deal with the command line is a wonderful thing. But every once in a while a simple command can be immensely useful and far simpler than the GUI+services might make the endeavor otherwise.